asan_report.cc revision cc347222d55967fdb775429a8a0a3a5d795b8b50
1f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck//===-- asan_report.cc ----------------------------------------------------===// 2767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola// 3767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola// The LLVM Compiler Infrastructure 4767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola// 5767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola// This file is distributed under the University of Illinois Open Source 6767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola// License. See LICENSE.TXT for details. 7767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola// 8767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola//===----------------------------------------------------------------------===// 9767b1be3900bdc693aa0ad3e554ba034845f67f7Rafael Espindola// 10f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck// This file is a part of AddressSanitizer, an address sanity checker. 11f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck// 12f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck// This file contains error reporting code. 13f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck//===----------------------------------------------------------------------===// 14f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck#include "asan_flags.h" 15f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck#include "asan_internal.h" 16f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck#include "asan_mapping.h" 17f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck#include "asan_report.h" 18f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck#include "asan_stack.h" 19f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck#include "asan_thread.h" 20f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck#include "asan_thread_registry.h" 21f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck 22f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Riecknamespace __asan { 23f89da7210b09a0a0f7c9ee216cd54dca03c6b64aNico Rieck 24// -------------------- User-specified callbacks ----------------- {{{1 25static void (*error_report_callback)(const char*); 26static char *error_message_buffer = 0; 27static uptr error_message_buffer_pos = 0; 28static uptr error_message_buffer_size = 0; 29 30void AppendToErrorMessageBuffer(const char *buffer) { 31 if (error_message_buffer) { 32 uptr length = internal_strlen(buffer); 33 CHECK_GE(error_message_buffer_size, error_message_buffer_pos); 34 uptr remaining = error_message_buffer_size - error_message_buffer_pos; 35 internal_strncpy(error_message_buffer + error_message_buffer_pos, 36 buffer, remaining); 37 error_message_buffer[error_message_buffer_size - 1] = '\0'; 38 // FIXME: reallocate the buffer instead of truncating the message. 39 error_message_buffer_pos += remaining > length ? length : remaining; 40 } 41} 42 43static void (*on_error_callback)(void); 44 45// ---------------------- Helper functions ----------------------- {{{1 46 47static void PrintBytes(const char *before, uptr *a) { 48 u8 *bytes = (u8*)a; 49 uptr byte_num = (__WORDSIZE) / 8; 50 Printf("%s%p:", before, (void*)a); 51 for (uptr i = 0; i < byte_num; i++) { 52 Printf(" %x%x", bytes[i] >> 4, bytes[i] & 15); 53 } 54 Printf("\n"); 55} 56 57static void PrintShadowMemoryForAddress(uptr addr) { 58 if (!AddrIsInMem(addr)) 59 return; 60 uptr shadow_addr = MemToShadow(addr); 61 Printf("Shadow byte and word:\n"); 62 Printf(" %p: %x\n", (void*)shadow_addr, *(unsigned char*)shadow_addr); 63 uptr aligned_shadow = shadow_addr & ~(kWordSize - 1); 64 PrintBytes(" ", (uptr*)(aligned_shadow)); 65 Printf("More shadow bytes:\n"); 66 for (int i = -4; i <= 4; i++) { 67 const char *prefix = (i == 0) ? "=>" : " "; 68 PrintBytes(prefix, (uptr*)(aligned_shadow + i * kWordSize)); 69 } 70} 71 72static void PrintZoneForPointer(uptr ptr, uptr zone_ptr, 73 const char *zone_name) { 74 if (zone_ptr) { 75 if (zone_name) { 76 Printf("malloc_zone_from_ptr(%p) = %p, which is %s\n", 77 ptr, zone_ptr, zone_name); 78 } else { 79 Printf("malloc_zone_from_ptr(%p) = %p, which doesn't have a name\n", 80 ptr, zone_ptr); 81 } 82 } else { 83 Printf("malloc_zone_from_ptr(%p) = 0\n", ptr); 84 } 85} 86 87// ---------------------- Address Descriptions ------------------- {{{1 88 89static bool IsASCII(unsigned char c) { 90 return /*0x00 <= c &&*/ c <= 0x7F; 91} 92 93// Check if the global is a zero-terminated ASCII string. If so, print it. 94static void PrintGlobalNameIfASCII(const __asan_global &g) { 95 for (uptr p = g.beg; p < g.beg + g.size - 1; p++) { 96 if (!IsASCII(*(unsigned char*)p)) return; 97 } 98 if (*(char*)(g.beg + g.size - 1) != 0) return; 99 Printf(" '%s' is ascii string '%s'\n", g.name, (char*)g.beg); 100} 101 102bool DescribeAddressRelativeToGlobal(uptr addr, const __asan_global &g) { 103 if (addr < g.beg - kGlobalAndStackRedzone) return false; 104 if (addr >= g.beg + g.size_with_redzone) return false; 105 Printf("%p is located ", (void*)addr); 106 if (addr < g.beg) { 107 Printf("%zd bytes to the left", g.beg - addr); 108 } else if (addr >= g.beg + g.size) { 109 Printf("%zd bytes to the right", addr - (g.beg + g.size)); 110 } else { 111 Printf("%zd bytes inside", addr - g.beg); // Can it happen? 112 } 113 Printf(" of global variable '%s' (0x%zx) of size %zu\n", 114 g.name, g.beg, g.size); 115 PrintGlobalNameIfASCII(g); 116 return true; 117} 118 119bool DescribeAddressIfShadow(uptr addr) { 120 if (AddrIsInMem(addr)) 121 return false; 122 static const char kAddrInShadowReport[] = 123 "Address %p is located in the %s.\n"; 124 if (AddrIsInShadowGap(addr)) { 125 Printf(kAddrInShadowReport, addr, "shadow gap area"); 126 return true; 127 } 128 if (AddrIsInHighShadow(addr)) { 129 Printf(kAddrInShadowReport, addr, "high shadow area"); 130 return true; 131 } 132 if (AddrIsInLowShadow(addr)) { 133 Printf(kAddrInShadowReport, addr, "low shadow area"); 134 return true; 135 } 136 CHECK(0 && "Address is not in memory and not in shadow?"); 137 return false; 138} 139 140bool DescribeAddressIfStack(uptr addr, uptr access_size) { 141 AsanThread *t = asanThreadRegistry().FindThreadByStackAddress(addr); 142 if (!t) return false; 143 const sptr kBufSize = 4095; 144 char buf[kBufSize]; 145 uptr offset = 0; 146 const char *frame_descr = t->GetFrameNameByAddr(addr, &offset); 147 // This string is created by the compiler and has the following form: 148 // "FunctioName n alloc_1 alloc_2 ... alloc_n" 149 // where alloc_i looks like "offset size len ObjectName ". 150 CHECK(frame_descr); 151 // Report the function name and the offset. 152 const char *name_end = internal_strchr(frame_descr, ' '); 153 CHECK(name_end); 154 buf[0] = 0; 155 internal_strncat(buf, frame_descr, 156 Min(kBufSize, 157 static_cast<sptr>(name_end - frame_descr))); 158 Printf("Address %p is located at offset %zu " 159 "in frame <%s> of T%d's stack:\n", 160 (void*)addr, offset, buf, t->tid()); 161 // Report the number of stack objects. 162 char *p; 163 uptr n_objects = internal_simple_strtoll(name_end, &p, 10); 164 CHECK(n_objects > 0); 165 Printf(" This frame has %zu object(s):\n", n_objects); 166 // Report all objects in this frame. 167 for (uptr i = 0; i < n_objects; i++) { 168 uptr beg, size; 169 sptr len; 170 beg = internal_simple_strtoll(p, &p, 10); 171 size = internal_simple_strtoll(p, &p, 10); 172 len = internal_simple_strtoll(p, &p, 10); 173 if (beg <= 0 || size <= 0 || len < 0 || *p != ' ') { 174 Printf("AddressSanitizer can't parse the stack frame " 175 "descriptor: |%s|\n", frame_descr); 176 break; 177 } 178 p++; 179 buf[0] = 0; 180 internal_strncat(buf, p, Min(kBufSize, len)); 181 p += len; 182 Printf(" [%zu, %zu) '%s'\n", beg, beg + size, buf); 183 } 184 Printf("HINT: this may be a false positive if your program uses " 185 "some custom stack unwind mechanism\n" 186 " (longjmp and C++ exceptions *are* supported)\n"); 187 t->summary()->Announce(); 188 return true; 189} 190 191void DescribeAddress(uptr addr, uptr access_size) { 192 // Check if this is shadow or shadow gap. 193 if (DescribeAddressIfShadow(addr)) 194 return; 195 CHECK(AddrIsInMem(addr)); 196 if (DescribeAddressIfGlobal(addr)) 197 return; 198 if (DescribeAddressIfStack(addr, access_size)) 199 return; 200 // Assume it is a heap address. 201 DescribeHeapAddress(addr, access_size); 202} 203 204// -------------------- Different kinds of reports ----------------- {{{1 205 206// Use ScopedInErrorReport to run common actions just before and 207// immediately after printing error report. 208class ScopedInErrorReport { 209 public: 210 ScopedInErrorReport() { 211 static atomic_uint32_t num_calls; 212 if (atomic_fetch_add(&num_calls, 1, memory_order_relaxed) != 0) { 213 // Do not print more than one report, otherwise they will mix up. 214 // Error reporting functions shouldn't return at this situation, as 215 // they are defined as no-return. 216 Report("AddressSanitizer: while reporting a bug found another one." 217 "Ignoring.\n"); 218 // We can't use infinite busy loop here, as ASan may try to report an 219 // error while another error report is being printed (e.g. if the code 220 // that prints error report for buffer overflow results in SEGV). 221 SleepForSeconds(Max(5, flags()->sleep_before_dying + 1)); 222 Die(); 223 } 224 if (on_error_callback) { 225 on_error_callback(); 226 } 227 Printf("====================================================" 228 "=============\n"); 229 AsanThread *curr_thread = asanThreadRegistry().GetCurrent(); 230 if (curr_thread) { 231 // We started reporting an error message. Stop using the fake stack 232 // in case we call an instrumented function from a symbolizer. 233 curr_thread->fake_stack().StopUsingFakeStack(); 234 } 235 } 236 // Destructor is NORETURN, as functions that report errors are. 237 NORETURN ~ScopedInErrorReport() { 238 // Make sure the current thread is announced. 239 AsanThread *curr_thread = asanThreadRegistry().GetCurrent(); 240 if (curr_thread) { 241 curr_thread->summary()->Announce(); 242 } 243 // Print memory stats. 244 __asan_print_accumulated_stats(); 245 if (error_report_callback) { 246 error_report_callback(error_message_buffer); 247 } 248 Report("ABORTING\n"); 249 Die(); 250 } 251}; 252 253void ReportSIGSEGV(uptr pc, uptr sp, uptr bp, uptr addr) { 254 ScopedInErrorReport in_report; 255 Report("ERROR: AddressSanitizer crashed on unknown address %p" 256 " (pc %p sp %p bp %p T%d)\n", 257 (void*)addr, (void*)pc, (void*)sp, (void*)bp, 258 asanThreadRegistry().GetCurrentTidOrInvalid()); 259 Printf("AddressSanitizer can not provide additional info.\n"); 260 GET_STACK_TRACE_WITH_PC_AND_BP(kStackTraceMax, pc, bp); 261 PrintStack(&stack); 262} 263 264void ReportDoubleFree(uptr addr, StackTrace *stack) { 265 ScopedInErrorReport in_report; 266 Report("ERROR: AddressSanitizer attempting double-free on %p:\n", addr); 267 PrintStack(stack); 268 DescribeHeapAddress(addr, 1); 269} 270 271void ReportFreeNotMalloced(uptr addr, StackTrace *stack) { 272 ScopedInErrorReport in_report; 273 Report("ERROR: AddressSanitizer attempting free on address " 274 "which was not malloc()-ed: %p\n", addr); 275 PrintStack(stack); 276 DescribeHeapAddress(addr, 1); 277} 278 279void ReportMallocUsableSizeNotOwned(uptr addr, StackTrace *stack) { 280 ScopedInErrorReport in_report; 281 Report("ERROR: AddressSanitizer attempting to call " 282 "malloc_usable_size() for pointer which is " 283 "not owned: %p\n", addr); 284 PrintStack(stack); 285 DescribeHeapAddress(addr, 1); 286} 287 288void ReportAsanGetAllocatedSizeNotOwned(uptr addr, StackTrace *stack) { 289 ScopedInErrorReport in_report; 290 Report("ERROR: AddressSanitizer attempting to call " 291 "__asan_get_allocated_size() for pointer which is " 292 "not owned: %p\n", addr); 293 PrintStack(stack); 294 DescribeHeapAddress(addr, 1); 295} 296 297void ReportStringFunctionMemoryRangesOverlap( 298 const char *function, const char *offset1, uptr length1, 299 const char *offset2, uptr length2, StackTrace *stack) { 300 ScopedInErrorReport in_report; 301 Report("ERROR: AddressSanitizer %s-param-overlap: " 302 "memory ranges [%p,%p) and [%p, %p) overlap\n", \ 303 function, offset1, offset1 + length1, offset2, offset2 + length2); 304 PrintStack(stack); 305 DescribeAddress((uptr)offset1, length1); 306 DescribeAddress((uptr)offset2, length2); 307} 308 309// ----------------------- Mac-specific reports ----------------- {{{1 310 311void WarnMacFreeUnallocated( 312 uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) { 313 // Just print a warning here. 314 Printf("free_common(%p) -- attempting to free unallocated memory.\n" 315 "AddressSanitizer is ignoring this error on Mac OS now.\n", 316 addr); 317 PrintZoneForPointer(addr, zone_ptr, zone_name); 318 PrintStack(stack); 319 DescribeHeapAddress(addr, 1); 320} 321 322void ReportMacMzReallocUnknown( 323 uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) { 324 ScopedInErrorReport in_report; 325 Printf("mz_realloc(%p) -- attempting to realloc unallocated memory.\n" 326 "This is an unrecoverable problem, exiting now.\n", 327 addr); 328 PrintZoneForPointer(addr, zone_ptr, zone_name); 329 PrintStack(stack); 330 DescribeHeapAddress(addr, 1); 331} 332 333void ReportMacCfReallocUnknown( 334 uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) { 335 ScopedInErrorReport in_report; 336 Printf("cf_realloc(%p) -- attempting to realloc unallocated memory.\n" 337 "This is an unrecoverable problem, exiting now.\n", 338 addr); 339 PrintZoneForPointer(addr, zone_ptr, zone_name); 340 PrintStack(stack); 341 DescribeHeapAddress(addr, 1); 342} 343 344} // namespace __asan 345 346// --------------------------- Interface --------------------- {{{1 347using namespace __asan; // NOLINT 348 349void __asan_report_error(uptr pc, uptr bp, uptr sp, 350 uptr addr, bool is_write, uptr access_size) { 351 ScopedInErrorReport in_report; 352 353 // Determine the error type. 354 const char *bug_descr = "unknown-crash"; 355 if (AddrIsInMem(addr)) { 356 u8 *shadow_addr = (u8*)MemToShadow(addr); 357 // If we are accessing 16 bytes, look at the second shadow byte. 358 if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY) 359 shadow_addr++; 360 // If we are in the partial right redzone, look at the next shadow byte. 361 if (*shadow_addr > 0 && *shadow_addr < 128) 362 shadow_addr++; 363 switch (*shadow_addr) { 364 case kAsanHeapLeftRedzoneMagic: 365 case kAsanHeapRightRedzoneMagic: 366 bug_descr = "heap-buffer-overflow"; 367 break; 368 case kAsanHeapFreeMagic: 369 bug_descr = "heap-use-after-free"; 370 break; 371 case kAsanStackLeftRedzoneMagic: 372 bug_descr = "stack-buffer-underflow"; 373 break; 374 case kAsanInitializationOrderMagic: 375 bug_descr = "initialization-order-fiasco"; 376 break; 377 case kAsanStackMidRedzoneMagic: 378 case kAsanStackRightRedzoneMagic: 379 case kAsanStackPartialRedzoneMagic: 380 bug_descr = "stack-buffer-overflow"; 381 break; 382 case kAsanStackAfterReturnMagic: 383 bug_descr = "stack-use-after-return"; 384 break; 385 case kAsanUserPoisonedMemoryMagic: 386 bug_descr = "use-after-poison"; 387 break; 388 case kAsanGlobalRedzoneMagic: 389 bug_descr = "global-buffer-overflow"; 390 break; 391 } 392 } 393 394 Report("ERROR: AddressSanitizer %s on address " 395 "%p at pc 0x%zx bp 0x%zx sp 0x%zx\n", 396 bug_descr, (void*)addr, pc, bp, sp); 397 398 u32 curr_tid = asanThreadRegistry().GetCurrentTidOrInvalid(); 399 Printf("%s of size %zu at %p thread T%d\n", 400 access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", 401 access_size, (void*)addr, curr_tid); 402 403 GET_STACK_TRACE_WITH_PC_AND_BP(kStackTraceMax, pc, bp); 404 PrintStack(&stack); 405 406 DescribeAddress(addr, access_size); 407 408 PrintShadowMemoryForAddress(addr); 409} 410 411void NOINLINE __asan_set_error_report_callback(void (*callback)(const char*)) { 412 error_report_callback = callback; 413 if (callback) { 414 error_message_buffer_size = 1 << 16; 415 error_message_buffer = 416 (char*)MmapOrDie(error_message_buffer_size, __FUNCTION__); 417 error_message_buffer_pos = 0; 418 } 419} 420 421void NOINLINE __asan_set_on_error_callback(void (*callback)(void)) { 422 on_error_callback = callback; 423} 424